
CVE-2013-6955 Synology DSM remote code execution



Products Affected By CVE-2013-6955
Diskstation Manager
4.0
4.2
4.3             4.3-3810
Vendor: Synology
Status: Patched

webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 
4.0-2259, 4.2 before 4.2-3243, and 4.3 before 4.3-3810 Update 1 allows remote 
attackers to append data to arbitrary files, and consequently execute arbitrary 
code, via a pathname in the SLICEUPLOAD X-TMP-FILE HTTP header. 

http://www.synology.com/en-global/company/news/article/437

February 14, 2014 - Synology® confirmed known security issues (reported as 
CVE-2013-6955 and CVE-2013-6987) which would cause compromise to file access 
authority in DSM. An updated DSM version resolving these issues has been 
released accordingly.

The following are possible symptoms that may appear on affected DiskStation
and RackStation:

    Exceptionally high CPU usage detected in Resource Monitor:
    CPU resource occupied by processes such as dhcp.pid, minerd, synodns,
    PWNED, PWNEDb, PWNEDg, PWNEDm, or any processes with PWNED in their names
    Appearance of non-Synology folder:
    An automatically created shared folder with the name "startup", or a
    non-Synology folder appearing under the path of "/root/PWNED"
    Redirection of the Web Station:
    "Index.php" is redirected to an unexpected page
    Appearance of non-Synology CGI program:
    Files with meaningless names exist under the path of "/usr/syno/synoman"
    Appearance of non-Synology script file:
    Non-Synology script files, such as "S99p.sh", appear under the path of
    "/usr/syno/etc/rc.d"

If users identify any of the above situations, they are strongly encouraged
to do the following:

    For DiskStation or RackStation running on DSM 4.3, please follow the
    instruction here (http://www.synology.com/en-global/support/faq/348) to
    REINSTALL DSM 4.3-3827.
    For DiskStation or RackStation running on DSM 4.0, it's recommended to
    REINSTALL DSM 4.0-2259 or onward from Synology Download Center.
    For DiskStation or RackStation running on DSM 4.1 or DSM 4.2, it's
    recommended to REINSTALL DSM 4.2-3243 or onward from Synology Download
    Center (http://www.synology.com/en-global/support/download).

Confidentiality Impact  Complete (There is total information disclosure, 
resulting in all system files being revealed.)
Integrity Impact        Complete (There is a total compromise of system 
integrity. There is a complete loss of system protection, resulting in the 
entire system being compromised.)
Availability Impact     Complete (There is a total shutdown of the affected 
resource. The attacker can render the resource completely unavailable.)
Access Complexity       Low (Specialized access conditions or extenuating 
circumstances do not exist. Very little knowledge or skill is required to 
exploit.)
Authentication  Not required (Authentication is not required to exploit the 
vulnerability.)
Gained Access   None
Vulnerability Type(s)   Execute Code

This is also known as the /PWNED or /lolz hack.
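
A triage check for the symptoms Synology lists above, as an added example (not Synology's tooling and not part of the original post). The function names, the `--run` switch and the `/volume*/` location of the "startup" shared folder are assumptions; the process names and paths come from the advisory text.

```shell
#!/bin/sh
# Added example (not Synology's tooling): triage for the symptoms listed above.

# Process names the advisory calls out, plus anything containing PWNED.
PROC_RE='(^|[^[:alnum:]_.-])(dhcp\.pid|minerd|synodns)([^[:alnum:]_.-]|$)|PWNED'

# check_procs: ps output on stdin -> suspicious lines on stdout.
check_procs() {
    grep -E "$PROC_RE" || true
}

# check_files ROOT: print paths matching the file-system symptoms.
# ROOT is "" for the live system, or the mount point of a pulled disk.
check_files() {
    root=$1
    # Folder and startup script named in the advisory.
    for p in "$root/root/PWNED" "$root/usr/syno/etc/rc.d/S99p.sh"; do
        if [ -e "$p" ]; then echo "$p"; fi
    done
    # Shared folder named "startup"; /volume*/ as its location is an assumption.
    for p in "$root"/volume*/startup; do
        if [ -d "$p" ]; then echo "$p"; fi
    done
    return 0
}

# scan ROOT: run the checks, print any hits, return 1 if something matched.
scan() {
    hits=$(check_files "$1")
    if [ -z "$1" ]; then
        # Capture ps first so this script's own pipeline is not in the listing.
        ps_out=$(ps 2>/dev/null || true)
        proc_hits=$(printf '%s\n' "$ps_out" | check_procs)
        hits=$(printf '%s\n%s' "$hits" "$proc_hits")
    fi
    hits=$(printf '%s\n' "$hits" | sed '/^$/d')
    if [ -n "$hits" ]; then printf '%s\n' "$hits"; return 1; fi
    return 0
}

# Usage: sh check.sh --run [ROOT]
if [ "${1:-}" = "--run" ]; then scan "${2:-}"; fi
```

A clean result does not clear the box: files with meaningless names under /usr/syno/synoman and the Index.php redirection are not covered and need manual review.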